
WHITE PAPER: How to Write Secure Code in C

Introduction

Software security is a top concern today. You can’t risk any security vulnerabilities — particularly if you’re developing for embedded systems. And that means your code needs to be secure and free of coding errors.

© Copyright Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. www.perforce.com

When you think about software security, you probably think about passwords and access control. Or viruses, spoofing, and attacks. These are common security concerns. And security features, such as data and authentication protocols, mitigate these vulnerabilities.

But even if you’ve implemented these security features, software can remain vulnerable.

To ensure secure software, you need to start at the source — the code level. Otherwise, coding errors will compromise your program.

Coding Errors Compromise Security

The Software Engineering Institute (SEI) estimates that up to 90% of reported security incidents result from exploiting vulnerabilities in software code or design. And these vulnerabilities allow hackers to access private data or take unauthorized control of a system.

So, a simple coding error can lead to a hacking threat. A hacker could take control of your computer, your home automation device, your home entertainment device, or your car. Worse still, a hacker could even take control of a nuclear power plant.

EXAMPLE OF A SECURITY VULNERABILITY: BUFFER OVERFLOW IN C

To illustrate how this might happen, let’s look at just one example. Buffer overflow is a common security vulnerability in C programming.

What Is Buffer Overflow?

Buffer overflow occurs when data is written outside the boundary of the allocated memory. For example:

    char buff[10];
    buff[10] = 'a';

Here, an array of 10 bytes (index 0 to 9) is declared. But the program then attempts to write a character one byte beyond the array’s boundary. If the memory neighboring the array is used later in the program, then it will lead to unexpected behavior.

This is bad enough. And it can get worse. A buffer overflow can allow a hacker to take control of a system.

How Buffer Overflow Invites Hackers

Hackers can use buffer overflow errors to cause a program to crash, corrupt the data, or simply steal information.

When a program runs, it uses an area of memory referred to as the ‘stack’. Variables within the scope of the currently executing function will be stored on the stack. The return address of the function call will also be stored so that return statements go back to the correct location.

When the function returns to the calling function, the program execution continues from where it left off. So, if the return address on the stack is modified to point to some alternative malicious instructions, then those instructions will be executed when the function returns.

If the program is receiving data — and there is no check in place to ensure that the input buffer cannot overflow — then it will be possible to design an input that contains malicious code. This overflows the input buffer and overwrites the return address on the stack with the address of the malicious code.

PREVENTING SECURITY VULNERABILITIES IS CRITICAL

Preventing security vulnerabilities — such as buffer overflow — is critical. And this can be done by making sure the code itself is written without exploitable gaps.

After all, putting stronger locks on your front door is no use if the windows are left open. So, to improve security, you’ll need to ensure secure code.

4 Ways to Ensure Secure Code in C

Writing secure code is important. And when it comes to C programming, there are four key sources of information to help you ensure secure code.

1. CWE

You can identify security weaknesses from the Common Weakness Enumeration (CWE).

What Is CWE?

CWE is a community-developed list of common software security weaknesses in C. It’s maintained by the MITRE Corporation. This list can be used as a baseline for weakness identification, mitigation, and prevention.

CWE’s List of Software Security Weaknesses

The CWE list prioritizes weaknesses. The top 25 entries are prioritized using input from more than two dozen different organizations. They evaluate each weakness based on frequency and importance. Many of the weaknesses (in C programs) listed in CWE relate to buffer overflow.

The top 25 list also adds a small set of the most effective ‘Monster Mitigations’. This helps developers reduce or eliminate entire groups of the top 25 weaknesses. It also helps with many of the other 800 weaknesses that are documented in the CWE list.

CWE focuses on stopping vulnerabilities at the source. This is done by educating designers, programmers, and testers on how to eliminate common mistakes — before software is even shipped.

2. CERT C

You can apply the CERT C coding standard to your code.

What Is CERT C?

The CERT C coding standard is published by the CERT Division at the Software Engineering Institute (SEI). SEI is a research and development center operated by Carnegie Mellon University. It’s primarily funded by the U.S. Department of Defense and the Department of Homeland Security.

CERT C Security Rules

Secure coding experts continually develop the CERT C guidelines on a wiki. Each guideline consists of:

• A title
• A description
• An example of non-compliant code
• Examples of compliant solutions

The guidelines cover coding and implementation errors, as well as low-level design errors. The aim


is to eliminate insecure coding practices and undefined behaviors that can lead to vulnerabilities.

CERT C defines a vulnerability as: “A set of conditions that allows an attacker to violate an explicit or implicit security policy.”

The defect may be minor. This means it doesn’t affect the performance or results produced by the software. But it nevertheless may be exploited by an attack. And that results in a significant security breach.

RECOMMENDED READING
Secure Coding in C and C++ by Robert Seacord. An essential resource for all C developers.

3. ISO/IEC TS 17961:2013 “C SECURE”

You can apply the ISO/IEC TS 17961:2013 “C Secure” coding rules.

What Is ISO/IEC TS 17961:2013?

ISO/IEC TS 17961:2013 establishes a set of coding rules. These rules enable static code analyzers to diagnose insecure code beyond the requirements of the language standard.

C Secure Coding Rules

ISO/IEC TS 17961:2013 includes rules for secure coding in C. It also includes examples for each rule.

The purpose of C Secure is to specify secure coding rules that can be automatically enforced. These can be used to detect security flaws in C programming. To be considered a security flaw, a software bug must be triggerable by the actions of a malicious user or attacker.

Analyzers that implement these rules must be able to effectively discover secure coding errors — without generating excessive false positives.

4. MISRA C

You can also use MISRA to ensure secure coding in C.

What Is MISRA?

MISRA provides best practice guidelines for the development of safety-related systems. Its C coding standards have been widely adopted across many industries.

MISRA C Security Rules

MISRA C:2012 Amendment 1 was published in 2016. It provides additional security guidelines for C programming, including new rules and directives. It also includes examples of compliant and non-compliant code.

These guidelines can be used to prevent coding errors that lead to safety issues and security vulnerabilities.


Why MISRA C Security Rules Are Ideal for Embedded Systems

MISRA C security rules are ideal for embedded systems. That’s because MISRA C security is on par with that of other secure coding standards for C. Plus, MISRA C is trusted across embedded systems industries. And it’s a go-to coding standard in the automotive industry.

EXAMPLE OF A MISRA C SECURITY RULE

MISRA C security rules can prevent coding errors and security weaknesses, such as buffer overflow.

Here’s an example of a MISRA C security rule:

MISRA C Rule 18.1: “A pointer resulting from arithmetic on a pointer operand shall address an element of the same array as that pointer operand.”

This rule does the same thing as the following CERT C rule.

ARR30-C: “Do not form or use out-of-bounds pointers or array subscripts.”

And both relate to multiple CWE weaknesses in C, one of which is:

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer: “The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.”

Following either the MISRA C rule or the CERT rule will ensure secure code — and avoid common weaknesses in CWE. This is because writing to an out-of-range pointer (or pointer operand) could result in a buffer overflow — and vulnerable code. Reading from an out-of-range pointer (or pointer operand) could accidentally reveal information to hackers.

So, by ensuring these rules are followed, you’ll avoid serious coding errors. You can enforce MISRA and CERT rules by using a static code analyzer, such as Helix QAC.

COMPARING MISRA C AND OTHER STANDARDS

This is why the MISRA C coding standard is also ideal for environments where software security has more emphasis than safety.

In fact, MISRA has published two addenda to the MISRA C:2012 standard to help developers map MISRA rules to the C Secure and CERT C standards.
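The following C example is added here and is not code from the paper or from Perforce. It takes the paper's 10-byte buffer example and the MISRA C Rule 18.1 / ARR30-C discussion above and shows the compliant forms side by side: a bounded copy of untrusted input whose size check runs before any pointer into the buffer is formed, and pointer arithmetic that never addresses anything outside the array except the one-past-the-end position. The function names, `copy_input_checked`, `receive_into_fixed_buffer` and `find_index`, and the `sample_data` array are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Non-compliant patterns from the paper, kept as comments only:
 *   char buff[10]; buff[10] = 'a';   -- writes one byte past the end
 *   strcpy(buff, input);             -- no check that the input fits
 * Both form an out-of-bounds pointer (ARR30-C, MISRA C Rule 18.1) and are
 * exactly what CWE-119 describes. */

/* Hardened copy of untrusted input into a fixed buffer. The size check runs on
 * the integer length BEFORE any pointer into dst is formed, so no out-of-bounds
 * pointer ever exists. dst is always NUL-terminated and left empty, not
 * partially filled, when the input is rejected. Returns true on success. */
bool copy_input_checked(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    if (src_len >= dst_size) {   /* compare; never compute src_len + 1 (size_t wrap) */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}

/* The paper's scenario: a 10-byte stack buffer (indices 0..9) receiving input.
 * Returns the stored length, or -1 when the input was refused. */
int receive_into_fixed_buffer(const char *input)
{
    char buff[10];
    if (!copy_input_checked(buff, sizeof buff, input, strlen(input))) return -1;
    return (int)strlen(buff);
}

/* Constructed sample data for find_index (hypothetical, not from the paper). */
static const int sample_data[6] = {4, 8, 15, 16, 23, 42};

/* Compliant pointer arithmetic under Rule 18.1 / ARR30-C: p only ever addresses
 * an element of arr or arr + n. The one-past-the-end pointer is formed and
 * compared but never dereferenced. Returns the index of key, or -1 if absent. */
long find_index(const int *arr, size_t n, int key)
{
    const int *end = arr + n;
    for (const int *p = arr; p != end; ++p) {
        if (*p == key) return (long)(p - arr);
    }
    return -1;
}
```

A static analyzer enforcing either standard would flag the commented-out patterns; the functions above are the shape it accepts.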


Comparing MISRA C and C Secure

MISRA C:2012 – Addendum 2 shows how each MISRA rule maps to the C Secure rules in ISO/IEC TS 17961:2013.

Every rule in C Secure is covered by a rule or directive in MISRA C. And any static code analyzer (such as Helix QAC) that fully supports MISRA C will also comply with the C Secure standard. So, you can use the standards interchangeably for security.

Comparing MISRA C and CERT C

MISRA C:2012 – Addendum 3 shows how each rule maps to the CERT C rules.

CERT C is designed for C11. MISRA C:2012 was designed for C99. There are 15 C11-specific rules in CERT C that are out of scope for MISRA C:2012. Of the CERT C rules (within the scope of MISRA C:2012), there are only four that aren’t covered. So, MISRA C covers a large share of security rules from CERT C.

Note: Violations of all four of these rules can be detected automatically using Helix QAC.

Write Secure Code With Helix QAC

You can enforce MISRA rules (in C or C++) automatically with Helix QAC. This significantly reduces the amount of time you need to spend performing manual code inspections. So, you’ll free up development resources and deliver your program on time — while improving the quality of your software.

See how Helix QAC applies MISRA rules by visiting perforce.com/helix-qac-demo.

About Perforce

Perforce is a leading provider of enterprise scale software solutions to technology developers and development operations (“DevOps”) teams requiring productivity, visibility, and scale during all phases of the development lifecycle. Enterprises across the globe rely on its agile planning and ALM tools, developer collaboration, static code analysis, version control and repository management solutions as the foundation for successful DevOps at scale. Perforce is trusted by the world’s most innovative brands, including NVIDIA, Pixar, Scania, Ubisoft, and VMware. Perforce has offices in Minneapolis, MN, Alameda, CA, Mason, OH, Boston, MA, the United Kingdom, Finland, Sweden, Germany, India, and Australia, and sales partners around the globe. For more information, please visit www.perforce.com
